
Support licenses without spdx ids; add scancode LicenseDB as an additional datasource

Open mawl opened this issue 4 years ago • 5 comments

Hi there,

First of all, dependency-track is a great piece of software - thanks for your work.

Current Behavior:

Currently, only licenses with SPDX IDs are supported.

Proposed Behavior:

Full support for licenses without SPDX IDs (categorization, alerting, etc.), by adding them manually (via API/UI) and/or by using https://scancode-licensedb.aboutcode.org.

OSS Review Toolkit, for example, uses scancode license ids as an additional identifier: https://github.com/oss-review-toolkit/ort/tree/master/spdx-utils/src/main/resources/licenserefs

Best Regards, Marco

mawl, Oct 05 '21 12:10

Wow. Thanks for educating me on https://scancode-licensedb.aboutcode.org/. I had no idea this resource existed. 🎉

DT supports unresolved license names, but they have to come in on an SBOM. See https://cyclonedx.org/use-cases/#license-compliance

But you're correct. I do not think there's a way to specify an unresolved license name via the UI or API. This would be a good enhancement.

stevespringett, Oct 05 '21 21:10

@stevespringett Since this is something I need too, to be able to use some custom licenses in policies, how would you expect this to work in its easiest way? Would an API endpoint to add a new license to the existing license table be enough? From what I see, the LICENSEID is a required column and other code probably relies on it, so one would have to define that ID even though it's not the SPDX ID. Would that be fine anyway for an easy solution?

Edit: Since SPDX seems to explicitly allow custom license IDs prefixed by "LicenseRef-", if I understand that correctly, I think that would be a valid solution. Would you agree?

rkg-mm, Nov 08 '22 23:11

> Would an API endpoint to add a new license to the existing license table be enough?

I would not want to do this. I'm not sure if there's an SLA, rate limiting, etc in place on their service. I would rather fetch the JSON files from their GitHub repo upon database initialization.

> From what I see, the LICENSEID is a required column and other code probably relies on it, so one would have to define that ID even though it's not the SPDX ID. Would that be fine anyway for an easy solution?

License.licenseId is not a required field in DT. So we could add the non-SPDX licenses by name only, OR we could use the scancode license IDs that begin with LicenseRef-*

> Since SPDX seems to explicitly allow custom license IDs prefixed by "LicenseRef-", if I understand that correctly, I think that would be a valid solution. Would you agree?

Yes, that would work.

The best way to get support for this incorporated into DT would be through a pull request.

stevespringett, Nov 10 '22 03:11
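To make the LicenseRef- convention discussed above concrete, here is an added example (not Dependency-Track code): it merges SPDX IDs with constructed ScanCode-style records into one license table, resolves a CycloneDX component's licenses against it, and flags denied or unresolved ones so they can be acted on by policy. The SPDX ID set, the ScanCode records and the function names are assumptions.

```python
import re

# SPDX permits custom identifiers "LicenseRef-<idstring>", where idstring
# consists of letters, digits, "-" and "." (SPDX 2.x specification).
LICENSE_REF = re.compile(r"^LicenseRef-[A-Za-z0-9.\-]+$")

# Constructed sample: SPDX list IDs the instance already knows.
SPDX_IDS = {"MIT", "Apache-2.0", "GPL-3.0-only"}

# Constructed sample shaped like ScanCode LicenseDB records (hypothetical values);
# a license without an SPDX ID carries a LicenseRef-scancode-* key instead.
SCANCODE_DB = [
    {"key": "mit", "spdx_license_key": "MIT", "category": "Permissive"},
    {"key": "proprietary-license", "category": "Proprietary Free",
     "spdx_license_key": "LicenseRef-scancode-proprietary-license"},
]


def build_license_table(spdx_ids, scancode_db):
    """Merge SPDX IDs with ScanCode records into one id -> metadata table.
    Only known SPDX IDs or well-formed LicenseRef-* identifiers are accepted."""
    table = {lid: {"id": lid, "source": "spdx"} for lid in spdx_ids}
    for rec in scancode_db:
        lid = rec["spdx_license_key"]
        if lid not in spdx_ids and not LICENSE_REF.match(lid):
            raise ValueError(f"rejecting malformed license id: {lid!r}")
        table.setdefault(lid, {"id": lid, "source": "scancode",
                               "category": rec.get("category")})
    return table


def resolve_component_licenses(component, table):
    """Split a CycloneDX component's licenses into table IDs and unresolved
    entries (a license object with only a "name", or an "id" not in the table).
    SPDX "expression" entries are out of scope for this example."""
    resolved, unresolved = [], []
    for item in component.get("licenses", []):
        lic = item.get("license", {})
        lid = lic.get("id")
        if lid in table:
            resolved.append(lid)
        else:
            unresolved.append(lid or lic.get("name", "<unnamed>"))
    return resolved, unresolved


def evaluate_policy(component, table, denied_ids):
    """Return (license, reason) findings: denied IDs plus anything unresolved,
    because an unresolved license can never be matched by an ID-based policy."""
    resolved, unresolved = resolve_component_licenses(component, table)
    findings = [(lid, "denied") for lid in resolved if lid in denied_ids]
    findings += [(name, "unresolved") for name in unresolved]
    return findings
```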

@stevespringett Not sure if you got my idea; I wasn't thinking about integrating the other license sources. More useful for me is a way to just simply create my own licenses via API. That's what I was talking about. We just created a PR for this simple solution.

rkg-mm, Nov 14 '22 16:11

FTR, I think the enhancement implemented in #2153 is a good compromise between wanting more flexibility and keeping the model clean. Admin users will be able to add licenses if desired, but there is no automatism to pollute the table. It does not address the original ask in this ticket though, so I'll leave this open.

nscuro, Nov 18 '22 09:11